XML Signature (also called XMLDSig, XML-DSig, XML-Sig) defines an XML syntax for digital signatures and is defined in the W3C recommendation XML Signature Syntax and Processing. Functionally, it has much in common with PKCS#7 but is more extensible and geared towards signing XML documents. It is used by various Web technologies such as SOAP, SAML, and others.

XML signatures can be used to sign data–a resource–of any type, typically XML documents, but anything that is accessible via a URL can be signed. An XML signature used to sign a resource outside its containing XML document is called a detached signature; if it is used to sign some part of its containing document, it is called an enveloped signature; if it contains the signed data within itself it is called an enveloping signature.

1 Configure XML-DSig

You can configure a few parameters before signing a document.

1.1 Select Digest method

You can select any of the available methods (default is SHA256):

SHA1
SHA224
SHA256
SHA384
SHA512
RIPEMD160
SHA3_224
SHA3_256
SHA3_384
SHA3_512

Copy

<script>
    var dbf = new Ax.xml.DocumentBuilderFactory();
    dbf.setNamespaceAware(true);
   
    var xml = dbf.parse("<rootxmldoc><tag1 /></rootxmldoc>");
    
    var dst = new Ax.crypt.XMLDSig(xml);
    console.log(dst.getDigestMethod());
    dst.setDigestMethod("SHA512");
</script>

1.2 Select Signature method

You can select any of the available methods (default is RSA_SHA256):

DSA_SHA1
DSA_SHA256
ECDSA_SHA1
ECDSA_SHA1224
ECDSA_SHA256
ECDSA_SHA384
ECDSA_SHA512
HMAC_SHA1
HMAC_SHA224
HMAC_SHA384
HMAC_SHA512
RSA_SHA1
RSA_SHA224
RSA_SHA256
RSA_SHA384
RSA_SHA512
SHA1_RSA_MGF1
SHA224_RSA_MGF1
SHA224_RSA_MGF1
SHA384_RSA_MGF1
SHA512_RSA_MGF1

Signature method is usualy based on the type of key. If you use a RSA key, signature method should be a RSA method. If you use a DSA key, signature method should be a DSA method.

Copy

<script>
    var dbf = new Ax.xml.DocumentBuilderFactory();
    dbf.setNamespaceAware(true);
   
    var xml = dbf.parse("<rootxmldoc><tag1 /></rootxmldoc>");
    
    var dst = new Ax.crypt.XMLDSig(xml);
    console.log("Digest Method ...: " + dst.getDigestMethod());
    dst.setDigestMethod("SHA512");
    console.log("Signature Method : " + dst.getSignatureMethod());
    dst.setSignatureMethod("RSA_SHA1");
</script>

1.3 Select Canonicalization method

CanonicalizationMethod (transform) method can selected by using one of the following constants (default is ENVELOPED).

ENVELOPED	http://www.w3.org/2000/09/xmldsig#enveloped-signature
INCLUSIVE	http://www.w3.org/TR/2001/REC-xml-c14n-20010315
INCLUSIVE_WITH_COMMENTS	http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
EXCLUSIVE	http://www.w3.org/2001/10/xml-exc-c14n#
EXCLUSIVE_WITH_COMMENTS	http://www.w3.org/2001/10/xml-exc-c14n#WithComments
BASE64	http://www.w3.org/2000/09/xmldsig#base64
XPATH	http://www.w3.org/TR/1999/REC-xpath-19991116
XPATH2	http://www.w3.org/2002/06/xmldsig-filter2

Copy

<script>
    var dbf = new Ax.xml.DocumentBuilderFactory();
    dbf.setNamespaceAware(true);
   
    var xml = dbf.parse("<rootxmldoc><tag1 /></rootxmldoc>");
    
    var dst = new Ax.crypt.XMLDSig(xml);
    dst.setDigestMethod("SHA512");
    dst.setSignatureMethod("RSA_SHA1");
    dst.setCanonicalizationMethod("ENVELOPED");

    console.log("Digest Method ...: " + dst.getDigestMethod());
    console.log("Signature Method : " + dst.getSignatureMethod());
    console.log("is Enveloped?... : " + dst.isEnveloped());

</script>

1.4 Signature Namespace

This method allows to define the name of namespace for signature tag generated by XMLDsig.

Copy

<script>
    // Load a keystore
    var ks = new Ax.ks.KeyStoreManager("https://bitbucket.org/deister/axional-docs-resources/raw/master/KeyStores/swview/jks-files/jack.jks", "secret");

    var dbf = new Ax.xml.DocumentBuilderFactory();
    dbf.setNamespaceAware(true);
   
    var xml = dbf.parse("<rootxmldoc><tag1 /></rootxmldoc>");
    
    var dst = new Ax.crypt.XMLDSig(xml);
    dst.setDigestMethod("SHA512");
    dst.setSignatureMethod("RSA_SHA1");
    dst.setEnveloped(false);
    dst.setNamespacePrefix("ds");
    
    console.log("Digest Method ...: " + dst.getDigestMethod());
    console.log("Signature Method : " + dst.getSignatureMethod());
    console.log("is Enveloped?... : " + dst.isEnveloped());

    // Sign the document using keystore provate key alias "jack" with password "moon"
    console.log(dst.sign(ks, "jack", "moon"));
</script>

2 Examples

The following example signs an XML document.

Copy

<script>
    // Load a keystore
    var ks = new Ax.ks.KeyStoreManager("https://bitbucket.org/deister/axional-docs-resources/raw/master/KeyStores/swview/jks-files/jack.jks", "secret");
    
    // Load an XML document
    var src = new Ax.xml.XMLDocument(new Ax.net.URL('https://bitbucket.org/deister/axional-docs-resources/raw/master/XML/books.xml'));
    
    // Sign the document using keystore provate key alias "jack" with password "moon"
    var dst = new Ax.crypt.XMLDSig(src).sign(ks, "jack", "moon");
    
    // Show the returned XML document String
    console.log(dst);
</script>

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<catalog>
    <book id="bk101">
        <author>Gambardella, Matthew</author>
        <title>XML Developer's Guide</title>
        <genre>Computer</genre>
        <price>44.95</price>
        <publish_date>2000-10-01</publish_date>
        <description>An in-depth look at creating applications with XML.
        </description>
    </book>
    ...
    <book id="bk112">
        <author>Galos, Mike</author>
        <title>Visual Studio 7: A Comprehensive Guide</title>
        <genre>Computer</genre>
        <price>49.95</price>
        <publish_date>2001-04-16</publish_date>
        <description>Microsoft Visual Studio 7 is explored in depth,
          looking at how Visual Basic, Visual C++, C#, and ASP+ are 
          integrated into a comprehensive development 
          environment.
        </description>
    </book>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <Reference URI="">
        <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>zolcPXUMCIref0InS0KhgpYS6u7J6SgrAEpj//MjClU=</DigestValue>
    </Reference>
</SignedInfo>
<SignatureValue>TtFgg6rNkwBtwshvmocjcFk2hbDYivf20ywWEgEXN7onIAXMP3sk9yHR35IssO8s6rS0BWb7LTf6&#13;
AwM3d3nogv3g18uZUDyjI9qOX6XeDP5/K/rzC1gie0OV9EMBJ7PWoigB1K97I+Ab1nSzLs6kQkja&#13;
VLCGd82FYaEOLTkZ6Es=</SignatureValue>
<KeyInfo>
    <X509Data>
        <X509SubjectName>CN=Jack Daniel,OU=Training,O=Software View,L=Colombo,ST=Western,C=LK</X509SubjectName>
        <X509Certificate>MIIC9jCCAl+gAwIBAgIJAParOnPwEkKlMA0GCSqGSIb3DQEBBQUAMIGKMQswCQYDVQQGEwJMSzEQ&#13;
        MA4GA1UECBMHV2VzdGVybjEQMA4GA1UEBxMHQ29sb21ibzEWMBQGA1UEChMNU29mdHdhcmUgVmll&#13;
        dzERMA8GA1UECxMIVHJhaW5pbmcxLDAqBgNVBAMTI1NvZnR3YXJlIFZpZXcgQ2VydGlmaWNhdGUg&#13;
        QXV0aG9yaXR5MB4XDTEwMDcxMDA2MzMxOFoXDTI0MDMxODA2MzMxOFowcjELMAkGA1UEBhMCTEsx&#13;
        EDAOBgNVBAgTB1dlc3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xFjAUBgNVBAoTDVNvZnR3YXJlIFZp&#13;
        ZXcxETAPBgNVBAsTCFRyYWluaW5nMRQwEgYDVQQDEwtKYWNrIERhbmllbDCBnzANBgkqhkiG9w0B&#13;
        AQEFAAOBjQAwgYkCgYEAqAIsXru2kWzNXidrgyapDb7GdmhUwNFx1rOimDyu2RrJN9sIv0Zi2B0K&#13;
        p1xSQiBPWabXbtt3wB1LzS2P19tMC+MW7BTYz0mRg4n9vSoa+mTJ3Ea6/v4W97a701BSEOlTxysV&#13;
        ltqgO+D3gD9uNVpjiCNjXP3FlXrw44aDnXwme3sCAwEAAaN7MHkwCQYDVR0TBAIwADAdBgNVHQ4E&#13;
        FgQUDp+pbeXQHmYiubDctF8b+C4g6V0wHwYDVR0jBBgwFoAU1rdiaEM7sE7BtSqZhTWT9Tqn9RQw&#13;
        LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMA0GCSqGSIb3DQEB&#13;
        BQUAA4GBACcLqPwC9cATSqe+Kes5r6kcgo8eN3QME+HVSQocFSaRVrZ8iOrl0NAXway2JOGdjIFC&#13;
        n2gU4NAkrDAzjJ1AlwrfCT/1FDL5hu4BTdY13ZpwBf5MU6LB6x2tc+Jbo4bQrskEEIfGpOcyuB/w&#13;
        BJtJQeONjLuY2ouX9pvaaHj2cpzS</X509Certificate>
    </X509Data>
</KeyInfo>
</Signature>
</catalog>